Back in the days of Windows XP and 7, I used WSUS to manage all updates (manual approval) and would "force" users to apply these by using the "update and shutdown" GPO option (I cannot recall the exact name); this was great.

With Windows 10 I have turned to WSUS as more of a monitoring tool for servers and workstations. I like the idea of dual scan. I used the "Select when Preview Builds and Feature Updates are received" GPO policy to pause feature updates; this works well. I have additional GPO settings that control the install of updates and stop automatic restarts, etc.; these are also good.

I am still nervous letting workstations install updates without my consent; I don't think I can get around this if I use dual scan.


What do others do?

Correct - you need to disable dual scan if you want control of things. That's what I've done. I use WSUS pretty much the same way as I always have, testing updates on a few machines, then approving them for everyone.

Setting up a Dual Scan can make clients more flexible in choosing an update channel. If you start a Dual Scan, the client in Windows 10 may install and download feature updates that are not approved by WSUS directly. This is not conducive to the sense of security of enterprises.

I suggest that you consider turning off Dual Scanning. Let all clients get updates from WSUS normally. Consider creating a separate OU that is dedicated to testing updates. After the test is successful, it is deployed to the enterprise environment.
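Both answers above come down to the same check: a client that is pointed at WSUS but also carries deferral or pause policies will dual scan, and feature updates can then arrive from Windows Update without WSUS approval. The script below is an added example, not code from either poster or from Microsoft. It reads the documented Windows Update policy registry values on a Windows 10 client, reports whether dual scan is in effect, and contains a helper that sets the same value the GPO "Do not allow update deferral policies to cause scans against Windows Update" sets. The registry key and value names are the standard policy locations; the decision rule (WSUS configured, plus any deferral/pause/readiness-level policy, minus DisableDualScan) is my reading of the documented behaviour and is an assumption to verify against your own build. Run it elevated.

```powershell
# Added example (not from the thread): audit whether a Windows 10 client is in
# "dual scan" mode, and optionally apply the DisableDualScan policy locally.
# Assumption: policy values live under the standard WindowsUpdate policy keys.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    # Returns the named value, or $null when the key/value is absent.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-DualScan {
    $wsusServer  = Get-PolicyValue $wuKey 'WUServer'       # WSUS URL from GPO
    $useWsus     = Get-PolicyValue $auKey 'UseWUServer'    # 1 = clients use WSUS
    $disableDual = Get-PolicyValue $wuKey 'DisableDualScan' # 1 = dual scan off

    # Any of these deferral/pause policies is what switches a WSUS client
    # into dual scan for the affected update class (assumed rule, see lead-in).
    $deferralNames = 'DeferFeatureUpdates', 'DeferQualityUpdates',
                     'PauseFeatureUpdatesStartTime', 'PauseQualityUpdatesStartTime',
                     'BranchReadinessLevel'
    $deferrals = @($deferralNames | Where-Object { $null -ne (Get-PolicyValue $wuKey $_) })

    $pointedAtWsus = [bool]$wsusServer -and ($useWsus -eq 1)
    $dualScan = $pointedAtWsus -and ($deferrals.Count -gt 0) -and ($disableDual -ne 1)

    [pscustomobject]@{
        WsusServer       = $wsusServer
        UseWUServer      = $useWsus
        DeferralPolicies = ($deferrals -join ', ')
        DisableDualScan  = $disableDual
        DualScanActive   = $dualScan
    }
}

function Disable-DualScan {
    # Same registry effect as enabling the GPO
    # "Do not allow update deferral policies to cause scans against Windows Update".
    if (-not (Test-Path $wuKey)) { New-Item -Path $wuKey -Force | Out-Null }
    Set-ItemProperty -Path $wuKey -Name 'DisableDualScan' -Value 1 -Type DWord
}

$state = Test-DualScan
$state | Format-List

if ($state.DualScanActive) {
    Write-Warning 'Dual scan is active: feature updates can bypass WSUS approval.'
    # Uncomment to fix this machine directly; for a fleet, set the GPO instead
    # so the value is enforced and reported centrally.
    # Disable-DualScan
}
```

On a client that should be WSUS-only, the expected report is `UseWUServer = 1`, `DisableDualScan = 1` and `DualScanActive = False`. If you keep the "Select when Preview Builds and Feature Updates are received" policy for pausing, as the question describes, `DeferralPolicies` will list the feature-update entries, and `DisableDualScan = 1` is what stops those entries from sending the client to Windows Update. Running the audit on the test OU the second answer suggests, before and after the GPO change, confirms the policy actually landed.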